# Bastion host users could overwrite and tamper with an existing log file
# using "script" if they knew the exact file name. I take several measures
# to obfuscate the file name:
# 1. Add a random suffix to the log file name.
# 2. Prevent bastion host users from listing the folder containing log
#    files.
# Measure 2 is done by changing the group owner of "script" and setting the
# setgid bit, so that "script" runs with the ec2-user group.
chown root:ec2-user /usr/bin/script
chmod g+s /usr/bin/script